You are on page 1of 15

Project Part 2

Members:
Adams, Jerold Lasane, Anthony
Alexander, Cliffton Lopez, Marie
Dubin, Chris Matthews, Amity
Irvin, Janoyia Morales, Alejandro
Johns, Philip
Schulman, Matthew
Davonte Brown
Jones, Xavier


Multi-Layered Security Plan: For Richman Investments
Main Branch: Phoenix, Arizona
Eight Branches: Atlanta, Georgia; Chicago, Illinois; Cincinnati, Ohio; Denver, Colorado; Los
Angeles, California; Montreal, Canada; NY City, New York; Washington, D. C.
Addressing this premise: Richman, has 5,000 employees throughout the main office and
several branch offices, you must research solutions and detail the appropriate access controls
including policies, standards, and procedures that define who users are, what they can do, which
resources they can access, and which operations they can perform on a system.
PART ONE: Description and definitionof the level of security classification from top to lower
and determining the person(s) or users for each security level. From highest level which is the
5
th
Level to the lowest level which is 1
st
Level.
Level A. 5th Level Security Clearance: Executives VP level and above
Level B. 4th Level Security Clearance: General Managers
Level C. 3
rd
Level Security Clearance: Supervisors, Leads and customers
Level D. 2
nd
Level Security Clearance: Hourly employees
Level E: 1
st
Level Security Clearance: Temp employees
PART TWO: Domain Security Plan ALEX
1. User Domain: This first layer of security in a multi-layer security plan is the weakest link
in the I T I nfrastructure, certain protocols and procedures need to be followed.
Implement and Conduct Security Awareness Training.
Implement Acceptable Use Policy (AUP).
Monitor employee behaviors.
Restrict access to users to certain programs and areas.
2. Workstation Domain: The second layer of security in a MLS plan. This is where most users
connect via Workstation computers, PDAs, Laptops and smartphones.
Admins create a strong password policy, enforcing users to create strong passwords.
Enable Up to date anti-virus programs.
Implement a mandated Employee Security Awareness Training.
Limit access to company approved devices only.
Disable CD drives and USB ports.

3. LAN Domain: The third layer of security in the MLS plan. This is the collection of
computers in an area to one another or to a common connection medium. To prevent the
unauthorized access, recommend implementing the following:
Physically secure the wiring closets and data centers.
Implement encryption procedures.
Implement strict access policies and second-level authentication.
Implement WLAN network keys that require a password for wireless access.
Implement LAN server and configuration standards, procedures, and guidelines.

4. LAN-to-WAN Domain: The fourth layer in the MLS plan. This is where the I T
infrastructure is linked to a wide area network and the I nternet.
Disable ping, probing and port scanning.
Apply strict security monitoring controls for intrusion detection and prevention.
Update devices with security fixes and software patches immediately.
PART THREE: Standard Enumeration and Definition
PART FOUR: Tiers of Protection for each level-Level A, Level B, Level C, Level D, Level E
PART FIVE: Policies
I. Acceptable Use Policy MARIE
Richman Investments do recognize the value of computer and other electronic resources to
enhance the administration and operations of the company. Richman I nvestments encourages
the responsible use of computers; computer networks, including the Internet; and other electronic
resources in support of the mission and goals of the Richman I nvestments.
Richman Investments adopts this policy governing the use of electronic resources and the
Internet to provide guidance to individuals and groups because the Internet is an unregulated,
worldwide vehicle for communication, and information available to staff impossible to control.
Richman Investments Rights and Responsibilities
It is the policy of the Richman I nvestments to maintain an environment that promotes ethical
and responsible conduct in all online network activities by staff and management. It shall be a
violation of this policy for any employee or other individuals to engage in any activity that does
not conform to the established purpose and general rules and policies of the network. Within this
general policy, the Richman I nvestments recognizes its legal and ethical obligation to protect the
well-being of all employees. Therefore, the Richman I nvestments retains the following rights
and recognizes the following obligations:
1. Logging, use of the network, monitor fileserver space utilization by users, Richman
I nvestments assumes no responsibility or liability for files deleted due to violation of
fileserver space allotments.
2. In removing any user account on the network.
3. Monitoring the use of all online activities. Including real-time monitoring of network
activity and/or maintaining a log of Internet activity for later review.
4. Provision of internal and external controls as appropriate and feasible. These controls
shall include the right to determine who will have access to Richman I nvestments-
owned equipment and, to exclude those who do not abide by the Richman Investments 's
acceptable use policy or other policies governing the use of school facilities, equipment,
and materials. Richman I nvestments reserves the right to restrict online destinations
through software or other means.
5. Provision of guidelines and to make reasonable efforts to train staff in the acceptable use
and policies governing online communications.
Staff Responsibilities:
1. All trainers who are supervising staff to control electronic equipment, or otherwise have
occasion to observe staffs use of said equipment online shall make reasonable efforts to
monitor the use of this equipment to assure that it conforms to the mission and goals of
the Richman I nvestments.
2. Staff should make reasonable efforts to become familiar with the Internet and its use so
that effective monitoring, instruction, and assistance may be achieved.
User Responsibilities: The use of the electronic media provided by the Richman I nvestments is
a privilege that offers a wealth of information and resources for the company. These resources
are offered and available to all staff and other patrons at no cost. All users must agree to learn
and comply with all of the provisions of this policy in order to maintain these privileges.
Acceptable Use:
1. The use of the Internet must be in support of Richman I nvestments.
2. All proper codes of conduct in electronic communication must be used. It is inappropriate
to give out personal information. Whenever a staff is using e-mail, extreme caution must
always be taken in revealing any information of a personal nature.
3. All network accounts are to be used only by the authorized owner of the account for the
authorized purpose.
4. It is assumed that all communications and information accessible via the network are
private property.
5. All staff members must have prior approval from system administrator for subscriptions
to mailing lists and bulletin boards. All mailing list subscriptions will be monitored and
maintained, and files will be deleted from the personal mail directories to avoid excessive
use of fileserver hard-disk space.
6. Be polite. All staff needs to exhibit exemplary behavior on the network as a
representative of Richman I nvestment.
7. Once a year, Richman Investment will make determinations on whether specific uses of
the network are consistent with the acceptable use practice.
Unacceptable Use-Prohibition:
1. It is prohibited to give out personal information about another person. This includes
home address and phone numbers.
2. All or any use of the network for commercial or for-profit purposes.
3. Use of the network in excess for personal business shall be cause for disciplinary action.
4. It is prohibited for any use of the network for product advertisement or political lobbying.
5. No intentional use of the network to seek information on, obtain copies of, or modify
files, other data, or passwords belonging to other users, or misrepresent other users on the
network.
6. No use of the network shall serve to disrupt the use of the network by others. Hardware
and/or software shall not be destroyed, modified, or abused in any way.
7. Malicious use of the network to develop programs that harass other users or infiltrate a
computer or computing system and/or damage the software components of a computer or
computing system is prohibited.
8. It is prohibited to be involved in hate mail, chain letters, harassment, discriminatory
remarks, and other antisocial behaviors. Also to access or process pornographic material,
inappropriate text files (as determined by the system administrator or building
administrator), or files dangerous to the integrity of the local area network is prohibited.
9. It is prohibited for unauthorized installation of any software, including shareware and
freeware, for use on Richman I nvestments electronic devices.
10. The Richman I nvestments network may not be used for downloading entertainment
software or other files not related to the mission and objectives of the Richman
I nvestments for transfer to a user's home computer, personal computer, or other media.
This prohibition pertains to freeware, shareware, copyrighted commercial and non-
commercial software, and all other forms of software and files not directly related to the
instructional and administrative purposes of the Richman I nvestments.
11. It is also prohibited to:
A. Download, copy, otherwise duplicating, and/or distributing copyrighted materials
without the specific written permission of the copyright owner.
B. Use of the network for any unlawful purpose.
C. Use of profanity, obscenity, racist terms, or other language that may be offensive
to another user.
D. Establishing network or Internet connections to live communications, including
voice and/or video (relay chat), is prohibited unless specifically authorized by the
system administrator.
Disclaimer
1. The Richman I nvestments cannot be held accountable for the information that is
retrieved via the network.
2. System administrators have access to all mail and will monitor messages. Pursuant to the
Electronic Communications Privacy Act of 1986 (18 USC 2510 et seq.), notice is hereby
given that there are no facilities provided by this system for sending or receiving private
or confidential electronic communications. Messages relating to or in support of illegal
activities will be reported to the appropriate authorities.
3. The Richman I nvestments will not be responsible for any damages you may suffer,
including loss of data resulting from delays, non-deliveries, or service interruptions
caused by our own negligence or your errors or omissions. Use of any information
obtained is at your own risk.
4. The Richman I nvestments reserves the right to change its policies and rules at any time.
User Agreement to be signed by all employees of Richman Investments
I have read, understood, and will abide by the above Acceptable Use Policy when using
computer and other electronic resources owned, leased, or operated by the Richman
I nvestments. I further understand that any violation of the regulations above is unethical and
may constitute a criminal offense. Should I commit any violation, my access privileges may be
revoked, disciplinary action may be taken, and/or appropriate legal action may be initiated.


User Name (please print)

User Signature






Date


II. Backup Policy-JANOYIA

Purpose:
The purpose of this policy is to comply with being protected and prepared and pplying Security
Rules and Requirements pertaining to its response to an emergency or other occurrence that
damages systems that contain
Electronic protection of the companies System and Database.


Scope:

The scope of this Policy contains procedures regarding a contingency plan that shall be
developed and implemented in the event of an emergency, disaster or other occurrence (i.e. fire,
vandalism, system failure and natural disaster) when any system that contains electronic
protecting the system and database is affected, including data backup, disaster recovery planning
and emergency mode operation plan. This policy covers all electronic protection of companies
database, Disk drives, Tape drives, Digital Audio Tapes, DAT drives, Auto Loader Tape
Systems, Magnetic Optical Drives, Removable Disks, Disk Drives. Which is the employees
identifiable data systems information. This policy covers all Systems Database, which is
available currently, or which may be created, used in the future. This policy applies to all
Financials, Information technology, Human Resources, Management, Legal and non-employees
(including visiting clients, courtesy, affiliate, and adjunct departments, personnel, and others)
who collect, maintain, use, or transmit all the companies Data and System Information of
Richman Investment and Consulting Firm.


Policy:
Richman Investments requires each system that collects, maintains, uses or transmits Information
that has been documented. A data backup plan to create, maintain, and recover exact copies of all
departments Information. The Data Backup Plan must require that all media used for backing up
be stored physically in a secure environment, such as a protected, off-site storage facility. If an
off-site storage facility or backup service is used, a written contract or agreement must be used to
ensure that the vendor will safeguard the Information and Database in an appropriate manner. If
backup media remains on-site, it must be stored physically in a secure location other than the
location of the backed up computer systems. Data backup procedures detailed in the Data
Backup Plan must be tested on a periodic basis to ensure that exact copies of information so it
can be recovered and made available.


Definitions:

Protected Database and Systems Information: Individually identifiable data information
transmitted or maintained in any form.

Electronic Protected Network and Data Information: Individually identifiable information
transmitted or maintained in electronic form.

Responsibilities:

Network administrators are responsible for adhering to the standards outlined in this policy when
administering Richman Investment computers or network.



Administration and I nterpretations:
This policy shall be administered by Information Security. Questions regarding this policy
should be directed to the Information Security Officer.

Amendment and Termination of this Policy:
The Richman Investment reserves the right to modify, amend or terminate this policy at any
time. This policy does not constitute a contract between the Database and Systems and its faculty
or employees.

References to Applicable Policies:
Richman Investment Final Security Rule, 45 CFR Parts 160, 162, and 164
Department and Human Services,
http://www.cms.hhs.gov/richmaninvestment/networks/regulations/security/default.asp, February
20, 2003.

Exceptions: None

Violations and Enforcement:

Any known violations of this policy should be reported to the Corporate Headquarters Located in
Phoenix, Arizona Information Security
Officer at 402-280-2386 or via e-mail to infosec@Richmeninvest.edu. Violations of this policy
can result in immediate withdrawal or suspension of system and network privileges and/or
disciplinary action in accordance with Companies procedures. The Company may advise law
enforcement agencies when a criminal offense may have been committed.

III. Incident Response Policy-ALEX
IV. Virtual Private Network (VPN)policy- JEROLD
V. Wireless Policy-JEROLD
VI. Network Security Policy-ANTHONY
VII. Confidential Data Policy-ANTHONY
VIII. Mobile Device Policy-CLIFF
IX. Outsourcing Policy-CLIFF
X. Email Policy-CLIFF
XI. Password Policy-DAVID
XII. Network Access Policy
XIII. Remote Access Policy-DAVID
XIV. Guest Access Policy
XV. Third Party Connection Policy
XVI. Encryption Policy-MATTHEW
XVII. Data Classification Policy-MATTHEW
XVIII. Retention Policy-PHILIP
XIX. Physical Security Policy-PHILIP


PART SIX: Security Standard and procedures for customers.
There are three steps for adhering to the -
First, Assess; Second, Remediate; Third, Report
Network security is a never-ending task; it requires ongoing vigilance. Securing your wireless
network can be particularly tricky because unauthorized users can quietly sneak onto your network,
unseen and possibly undetected. To keep your WLAN secure, its important to stay on top of new
wireless vulnerabilities. By regularly performing a vulnerability assessment on your wireless network,
you can identify and close any security holes before a hacker can slip through them.
With a WLAN vulnerability assessment, youre figuring out what your wireless network looks like to
the outside world on the Internet. Is there an easy way in to your network? Can unauthorized
devices attach themselves to your network? A WLAN vulnerability assessment can answer these
questionsand more.
1. Discover wireless devices on your network. You need to know everything about each wireless
device that accesses your network, including wireless routers and wireless access points (WAPs) as
well as laptops and other mobile devices. The scanner will look for active traffic in both the 2.4GHz
and 5GHz bands of your 802.11n wireless network. Then, document all the data you collect from the
scanner about the wireless devices on your network, including each devices location and owner.
2. Hunt down rogue devices. Rogue devices are wireless devices, such as an access point, that
should not be on your network. They should be considered dangerous to your network security and
dealt with right away. Take your list of devices from the previous step and compare it to your known
inventory of devices. Any equipment you dont recognize should be blocked from network access
immediately. Use the vulnerability scanner to also check for activity on any wireless bands or
channels you dont usually use.
3. Test your authorized access points. Make sure the WAPs on your network are just as secure
as your routers and any other device that can be accessed from the Internet. Because anyone can
gain access to your network through a WAP, it must have the latest security patches and firmware
installed. Make sure youve changed the default password from the factory-set admin to a strong,
hard-to-crack password. Also, check that the WAP is configured to use the most secure options such
as the strongest available authentication setting and an encrypted admin interface, is using filters to
block unauthorized protocols, and is sending security alerts.
4. Update your device inventory. Now is a good time to find out if users have brought in any new
wireless devices and check for any other new 802.11g or n devices that are accessing your WLAN.
Update your inventory to include every smartphone, tablet, laptop, desktop, voice-over-IP (VoIP)
phone, and any other wireless device that is approved to access your network. For each of these
devices, find out if it is running the most current operating system and associated security patches,
is running current antivirus and antispam software, and is configured according to your companys
security policy.
5. Take action and eliminate vulnerabilities. The last step is to plug the holes your vulnerability
scanner reveals. For instance, install missing or new security patches to your WAPs and to users
devices, change passwords so theyre more secure, and re-educate users about your security policy
and acceptable.
Of course, completing these five steps doesnt mean your work is done. You should test your fixes,
making sure they indeed closed the security holes. And then mark your calendar for the next
regularly scheduled WLAN vulnerability assessment. http://blogs.cisco.com/smallbusiness/5-steps-
for-assessing-your-wireless-network-security/
Vulnerability is a weakness in a covered device that can be exploited by an attacker to gain
unauthorized access to covered data. An effective vulnerability assessment and remediation
program must be able to prevent the exploitation of vulnerabilities by detecting and
remediating vulnerabilities in covered devices in timely fashion. Proactively managing
vulnerabilities on covered devices will reduce or eliminate the potential for exploitation and
save on the resources otherwise needed to respond to incidents after exploitation has
occurred. System and Network Security (SNS) provides a centrally managed campus
service that campus units can use to comply with this
requirement. https://security.berkeley.edu/content/continuous-vulnerability-assessment-
remediation-guideline
A security report, in the simplest terms is a factual retelling of an incident, event or observation.
The purpose of the report is so that it is possible to access details of an occurrence long after
memories have faded. This can be useful for issues as serious as court cases and insurance claims
or to simply provide information which can contribute to improving the policies or procedures on a
site.
Let's take a look now at the five steps involved in making a great report!
1. It is a security report, not a security diary
This means that you should never personalize the report and write in the first person. You should
write in the third person and refer to yourself by name, or if you have established your name and that
you are the writer you may refer to yourself as 'the writer'.
To show how that might look,
"While on routine patrol the writer, Security Guard (S/G) Joe Blow discovered that..."
From this point on the report may refer to security guard Joe Blow as 'The writer' and not have to
write out his entire name each time.
It can be a bit tricky for some writing in the third person but you'll get used to it!

2. Who, What, When, Where, Why and How?
Sometimes, especially if a complicated and very dynamic event has occurred it can be a little
intimidating trying to figure what to write or even where to start.
In every instance it is best to remember that you will be trying to answer the following questions.
WHO: Who were the people involved. Did you get all their information?
WHAT: What were the actions and events that took place during the incident?
When: What was the date and time the incident took place?
Where: What is the specific location(s) where the incident took place?
Why: Describe and explain the purpose of your own actions as it pertains to the incident. Subject
persons may also volunteer motivations for their actions.
How: The vandal broke a window, but did she do it with a rock, or a stick, with her fist?
3. Paint a Clear Picture.
If you answered all the questions in #2 you are well on your way, but there are still a few things to be
mindful of.
Not everyone who reads the report will be from the world of security, so write the report in plain
language and avoid security jargon.
An acronym or abbreviation may be used only if its meaning has first been established. You will
see that this has been done for 'security guard' and 'S/G' in #1.
Avoid slang unless it is a direct quote from a subject person.
Proper grammar, punctuation and syntax all count and not only make your report easier to
understand, it makes it more credible to the reader.
Resist the urge to be poetic or erudite.
Include as much detail as possible and remember you can't assume the reader will know any of
the details unless you describe them.
Include photographs, or failing that sketches. A picture tells a thousand words, after all.
4. Be Objective
While it is virtually impossible to be a 100% neutral observer in what are sometimes very emotionally
charged events, every effort must be made to remain objective.
This means reporting the facts of your observations and not inserting your opinions and biases. To
keep your opinion out is not so hard a task, but to keep out your personal biases can be a little
trickier and maybe harder for you to see for yourself that you are doing it in the first place.
You might be tempted to make it clear in a situation who you think was in the wrong by how you
word your report, but most readers will be savvy enough to detect this and while it may be well
intentioned it could very well backfire.
Res Ipso Facto.




5. Get lots of information!
The more information you can provide the better your report will be. This does not mean to go on for
pages and pages of descriptive prose, but rather that a person who is reading your report who
wasn't present at the time it occurred will only know as much about that event as is written in the
report. Be concise but also information rich. Think back to #2, and if you are pretty sure you have
done a thorough job of answering all of those questions you should do just fine.
Also, it must be stressed that as uncomfortable as it can feel when asking your report will be much
stronger if you verify as much of the information as possible in regards to the persons involved.
There is a difference between knowing someone is Joe Smith because they told you so, and
knowing it because you have seen their passport or driver's license.


PART SEVEN: Standard Compliance for Card Brands used by the company
EXAMPLES: American Express, Discover Financial Services, JCB International,
MasterCard, Visa Inc., Visa Europe
PART EIGHT: Security Standard forms to implement security policies. (Attachments)
Policy Acknowledgement Form
Security Incident Report
Notice of Policy Noncompliance
Account Setup Request
Guest Access Request
Request for Policy Exemption
PART NINE: IT Department- Responsibilities and detailed description of responsibilities
Auditing
Monitoring
Back-up
Risk, Response and Recovery
Determine the types of Encryption to combat the type of malicious codes and malware
Description of the Flow of Communication
Education- Security Awareness and Training
PART TEN: SSCP Seven Domain: INFORMATION SECURITY Responsibilities
1. Access Controls policies, standards and procedures that define who users are, what
they can do, which resources and information they can access, and what operations they
can perform on a system.
i. Logical Access Controls - Subjects & Objects
ii. Authentication Mechanisms
iii. Access Control Concepts
iv. Internetwork Trust Architectures
v. Identity Management
vi. Cloud Computing
2. Security Operations and Administration identification of information assets and
documentation of policies, standards, procedures and guidelines that ensure
confidentiality, integrity and availability.
i. Code of Ethics
ii. Security Administration
iii. Change Management
iv. Security Evaluation and Assistance
v. Security Awareness
vi. Information Communication Technology Infrastructure
vii. Endpoint Device Security
viii. Data Management Policies
ix. Security Concepts
3. Monitoring and Analysis determining system implementation and access in
accordance with defined IT criteria. Collecting information for identification of, and
response to, security breaches or events.
i. Continuous Monitoring
ii. Analysis of Monitoring Results
4. Risk, Response and Recovery the review, analysis and implementation processes
essential to the identification, measurement and control of loss associated with unplanned
adverse events.
i. Risk Management Process
ii. Security Assessment Activities
iii. Incident Handling Analysis
iv. Business Continuity Plan (BCP)
v. Disaster Recovery Plan (DRP)
5. Cryptography the protection of information using techniques that ensure its integrity,
confidentiality, authenticity and non-repudiation, and the recovery of encrypted
information in its original form.
i. Concepts & Requirements of Cryptography
ii. Certificate and Key Management
iii. Secure Protocols
6. Networks and Communications the network structure, transmission methods and
techniques, transport formats and security measures used to operate both private and
public communication networks.
i. Networks
ii. Telecommunications
iii. Remote Access
iv. Firewalls & Proxies
v. Wireless & Cellular Technologies
7. Malicious Code and Activity countermeasures and prevention techniques for dealing
with viruses, worms, logic bombs, Trojan horses and other related forms of intentionally
created damaging code.
i. Malicious Code
ii. Malicious Code Countermeasures
iii. Malicious Activity
iv. Malicious Activity Countermeasures
Threat Countermeasures
Spoofing user identity
Use strong authentication.

Do not store secrets (for example, passwords) in plaintext.

Do not pass credentials in plaintext over the wire.

Protect authentication cookies with Secure Sockets Layer (SSL).
Tampering with data
Use data hashing and signing.

Use digital signatures.

Use strong authorization.

Use tamper-resistant protocols across communication links.

Secure communication links with protocols that provide message integrity.
Repudiation Create secure audit trails.

Use digital signatures.
Information disclosure
Use strong authorization.

Use strong encryption.

Secure communication links with protocols that provide message
confidentiality.

Do not store secrets (for example, passwords) in plaintext.
Denial of service
Use resource and bandwidth throttling techniques.

Validate and filter input.
Elevation of privilege
Follow the principle of least privilege and use least privileged service
accounts to run processes and access resources.



REFERENCES:
Sources: Mircosoftkb.acronis.com/knowledgebaseTechnetmircos
http://msdn.microsoft.com/en-us/library/ff648641.aspx
http://msdn.microsoft.com/en-us/library/ff648641.aspx